The question is often asked, "If I create a restore point, install
software, do a bad deed, and then restore the system to the original state,
is the evidence of the software installation gone?" The answer is yes
and no! The answer is "Yes" if you are looking at the current mounted
registry for the information. The answer is "No" if you are looking at
the registry within a specific restore point.

When a system is restored using "System Restore", before reverting to
the chosen restore point, System Restore creates yet another restore
point that captures a snapshot of the system as it was immediately before
the restore. This restore point is named "Restore Operation", a string
that can be found at byte offset 2 in the "rp.log" file. It is this
restore point that will contain the software binaries and the registry
information as they were at the time of the "bad deed".

If you know when the bad deed occurred, you could go directly to the
restore points created around that time. If you had no idea when or if
such an event occurred, you could search all "rp.log" files for the string
"Restore Operation". Once found, simply mount the registry files and
begin your examination. Remember to look for the renamed program
binaries as well.
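The search described above, carried out as a script, is shown here as an added example; it is not code from the original page. It walks a directory tree (for instance a mounted image's System Volume Information folder) for every "rp.log", looks for the UTF-16LE string "Restore Operation" the way the text suggests, reports the byte offset at which the name was found, and lists the hits oldest first. The one assumption beyond the page, marked in the code, is that the last 8 bytes of rp.log hold the restore point's creation FILETIME; verify that against the directory timestamps on a real image before relying on it. The sample rp.log files the demo creates are constructed, not real ones.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone

# The restore point name the text says System Restore assigns before it
# reverts the system. rp.log stores its strings as UTF-16LE (Windows "Unicode").
MARKER = "Restore Operation"
MARKER_BYTES = MARKER.encode("utf-16-le")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw):
    """Convert 8 little-endian FILETIME bytes (100 ns ticks since 1601) to UTC."""
    ticks = int.from_bytes(raw, "little")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def read_utf16z(data, pos):
    """Read a NUL-terminated UTF-16LE string starting at pos, stepping two
    bytes at a time so a 0x00 high byte is never mistaken for the terminator."""
    end = pos
    while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[pos:end].decode("utf-16-le", errors="replace")


def inspect_rp_log(path):
    """Describe one rp.log if its name contains MARKER, else return None."""
    with open(path, "rb") as fh:
        data = fh.read()
    offset = data.find(MARKER_BYTES)
    if offset < 0:
        return None
    # ASSUMPTION (not stated on the page): the last 8 bytes of rp.log hold the
    # restore point's creation FILETIME. Short or corrupt files yield None.
    created = None
    if len(data) >= 8:
        try:
            created = filetime_to_datetime(data[-8:])
        except OverflowError:
            created = None
    return {"path": path, "name": read_utf16z(data, offset),
            "name_offset": offset, "created": created}


def find_restore_operation_points(root):
    """Walk root for every rp.log and return the restore points whose name
    contains MARKER, oldest first (undated ones sort first)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == "rp.log":
                info = inspect_rp_log(os.path.join(dirpath, fn))
                if info:
                    hits.append(info)
    hits.sort(key=lambda h: h["created"] or FILETIME_EPOCH)
    return hits


def build_sample_rp_log(name, created):
    """CONSTRUCTED sample, not a real rp.log: a 2-byte prefix so the name sits
    at byte offset 2 as the page states, the UTF-16LE name with terminator,
    then the assumed trailing FILETIME."""
    ticks = int((created - FILETIME_EPOCH).total_seconds()) * 10_000_000
    return (b"\x00\x00" + name.encode("utf-16-le") + b"\x00\x00"
            + ticks.to_bytes(8, "little"))


def demo():
    """Lay out two constructed restore points in a temp dir and search them."""
    root = tempfile.mkdtemp(prefix="_restore_demo_")
    samples = [
        ("RP7", "System Checkpoint", datetime(2004, 5, 1, 9, 0, tzinfo=timezone.utc)),
        ("RP8", MARKER, datetime(2004, 5, 2, 17, 30, tzinfo=timezone.utc)),
    ]
    for rp_dir, name, when in samples:
        d = os.path.join(root, "_restore{CONSTRUCTED-GUID}", rp_dir)
        os.makedirs(d)
        with open(os.path.join(d, "rp.log"), "wb") as fh:
            fh.write(build_sample_rp_log(name, when))
    return find_restore_operation_points(root)


if __name__ == "__main__":
    for hit in demo():
        print(f'{hit["created"]}  offset {hit["name_offset"]}  "{hit["name"]}"  {hit["path"]}')
```

On a real image, point find_restore_operation_points at the System Volume Information folder; each hit's directory is the restore point whose snapshot files and registry copies should be mounted and examined.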

Another forensic bonus lies in the fact that "system restorals" are
recorded in the Windows event logs. Those who assume that nothing useful
is logged because Windows XP logging is dismal out of the box should guess
again: certain events are recorded regardless, and system restorals are
one such item. The event record will be found in the system event log file
and will appear as event id "110". Thus you could filter your system event
log files for event id "110" and determine when the system was restored.
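The event id "110" filter, applied to a raw Windows XP System log (.evt) file, is shown here as an added example, not code from the original page. It carves EVENTLOGRECORD structures by their "LfLe" signature, so it also works on a log file whose header is stale or damaged, masks the event id down to the low 16 bits that Event Viewer displays, converts TimeGenerated from Unix seconds, and returns only the restore events. The record layout follows the publicly documented XP/2003 .evt format; the source names, computer name and message strings in the demo log are constructed placeholders (the page does not give the real source name for event 110).

```python
import struct
from datetime import datetime, timezone

SYSTEM_RESTORE_EVENT_ID = 110      # event id the page gives for a system restoral
EVT_SIGNATURE = b"LfLe"
# EVENTLOGRECORD fixed header (56 bytes): Length, Signature, RecordNumber,
# TimeGenerated, TimeWritten, EventID, EventType, NumStrings, EventCategory,
# ReservedFlags, ClosingRecordNumber, StringOffset, UserSidLength,
# UserSidOffset, DataLength, DataOffset.
HDR = struct.Struct("<I4sIIIIHHHHIIIIII")


def read_utf16z(data, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, position after NUL)."""
    end = pos
    while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[pos:end].decode("utf-16-le", errors="replace"), end + 2


def parse_record(data, start, f):
    (_length, _sig, rec_no, t_gen, _t_wri, event_id, event_type, num_strings,
     _cat, _flags, _closing, str_off, _sid_len, _sid_off, _dlen, _doff) = f
    source, p = read_utf16z(data, start + HDR.size)   # SourceName follows the header
    computer, _ = read_utf16z(data, p)                # then ComputerName
    strings, p = [], start + str_off
    for _ in range(num_strings):
        s, p = read_utf16z(data, p)
        strings.append(s)
    return {
        "record_number": rec_no,
        "time_generated": datetime.fromtimestamp(t_gen, tz=timezone.utc),  # Unix seconds
        "event_id": event_id & 0xFFFF,   # low 16 bits are the id Event Viewer shows
        "event_type": event_type,
        "source": source,
        "computer": computer,
        "strings": strings,
    }


def carve_evt_records(data):
    """Scan for 'LfLe' signatures and keep every record whose leading and
    trailing Length fields agree; the 48-byte file header fails the size check."""
    records, pos = [], data.find(EVT_SIGNATURE)
    while pos != -1:
        start = pos - 4
        if start >= 0 and start + HDR.size <= len(data):
            fields = HDR.unpack_from(data, start)
            length, end = fields[0], start + fields[0]
            if (length >= HDR.size + 4 and end <= len(data)
                    and struct.unpack_from("<I", data, end - 4)[0] == length):
                records.append(parse_record(data, start, fields))
                pos = data.find(EVT_SIGNATURE, end)
                continue
        pos = data.find(EVT_SIGNATURE, pos + 1)
    return records


def find_system_restores(data):
    """The page's filter: only records whose event id is 110."""
    return [r for r in carve_evt_records(data) if r["event_id"] == SYSTEM_RESTORE_EVENT_ID]


def build_evt_record(rec_no, when, event_id, source, computer, strings=()):
    """CONSTRUCTED record in EVENTLOGRECORD layout, for offline testing only."""
    ts = int(when.timestamp())
    body = source.encode("utf-16-le") + b"\x00\x00" + computer.encode("utf-16-le") + b"\x00\x00"
    str_off = HDR.size + len(body)
    for s in strings:
        body += s.encode("utf-16-le") + b"\x00\x00"
    data_off = HDR.size + len(body)
    length = HDR.size + len(body) + 4
    pad = (-length) % 4                    # records are DWORD aligned
    body += b"\x00" * pad
    length += pad
    hdr = HDR.pack(length, EVT_SIGNATURE, rec_no, ts, ts, event_id, 4,
                   len(strings), 0, 0, 0, str_off, 0, data_off, 0, data_off)
    return hdr + body + struct.pack("<I", length)


def build_sample_log():
    """CONSTRUCTED System log: a header-shaped 48-byte block plus three records."""
    header = (struct.pack("<I4sII", 0x30, EVT_SIGNATURE, 1, 1)
              + b"\x00" * 28 + struct.pack("<I", 0x30))
    pc = "SAMPLE-PC"
    return header + b"".join([
        build_evt_record(1, datetime(2004, 6, 15, 13, 58, tzinfo=timezone.utc),
                         0x40001770, "SampleSourceA", pc, ("boot",)),  # id 6000 + severity bits
        build_evt_record(2, datetime(2004, 6, 15, 14, 3, tzinfo=timezone.utc),
                         SYSTEM_RESTORE_EVENT_ID, "SampleRestoreSource", pc,
                         ("constructed description",)),
        build_evt_record(3, datetime(2004, 6, 15, 14, 9, tzinfo=timezone.utc),
                         0x1B7C, "SampleSourceB", pc),
    ])


def demo():
    data = build_sample_log()
    return carve_evt_records(data), find_system_restores(data)


if __name__ == "__main__":
    _all, restores = demo()
    for r in restores:
        print(r["time_generated"], r["record_number"], r["event_id"], r["source"], r["strings"])
```

To run it against evidence, read the System log file (by default %SystemRoot%\system32\config\SysEvent.Evt on XP) as bytes and pass it to find_system_restores; the TimeGenerated values give the restore times the text refers to.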

This web site was created to provide assistance to computer
forensics examiners engaging in
cyber-crime investigations. This field is rapidly evolving and changing as
technology marches forward. It is, therefore, intended to be a growing and
evolving resource. As you conduct your examinations and investigations, if you encounter
information, links, or have suggestions that would help others, please let
me know so I can add it to this site. My email address is sbunting@udel.edu.
Thank you.